When working with Python to make HTTP requests or connecting to APIs over HTTPS, by default, SSL/TLS verification is enabled. However, there may be circumstances where you need to disable SSL verification. While it’s not recommended to disable SSL verification in a production environment due to security risks, it might be inevitable in a development or testing scenario where self-signed certificates are used, or the certificate authority is not recognized.
Table of Contents
Disabling SSL Verification in http.client
The http.client library is a low-level HTTP interface in Python. To disable SSL verification, you would typically override the context using the ssl module.
import http.client
import ssl
conn = http.client.HTTPSConnection(
"example.com",
context=ssl._create_unverified_context()
)
conn.request("GET", "/")
response = conn.getresponse()
print(response.read().decode())
Disabling SSL Verification in Requests
The requests library is a popular, higher-level HTTP library. Disabling SSL verification within requests is straightforward using the verify parameter.
import requests
response = requests.get("https://example.com", verify=False)
print(response.text)
Note: You may see InsecureRequestWarning when SSL verification is disabled. To suppress these warnings, you can adjust the logging level for urllib3.
import urllib3 urllib3.disable_warnings()
Alternatively, you can set REQUESTS_CA_BUNDLE environment variable to an empty string or to a non-existent file will effectively disable SSL verification.
import os
import requests
# Disable SSL verification
os.environ['REQUESTS_CA_BUNDLE'] = ''
# Now, make your requests
response = requests.get('https://example.com')
# Your code to handle the response...
Disabling SSL Verification in urllib3
For direct use of urllib3, you need to create a custom SSLContext and pass it when creating a connection pool.
import urllib3
http = urllib3.PoolManager(
cert_reqs='CERT_NONE',
assert_hostname=False
)
response = http.request('GET', 'https://example.com')
print(response.data.decode('utf-8'))
Disabling SSL Verification in aiohttp
aiohttp operates asynchronously and allows for SSL verification to be disabled by passing ssl=False on the client session.
import aiohttp
import asyncio
async def main():
async with aiohttp.ClientSession() as session:
async with session.get("https://example.com", ssl=False) as response:
print(await response.text())
loop = asyncio.get_event_loop()
loop.run_until_complete(main())
Conclusive Summary
In this tutorial, we explored different methods to disable SSL verification across various Python packages, including http.client, requests, urllib3, and aiohttp. While disabling SSL verification can be helpful for local testing or dealing with self-signed certificates, it should not be used in a production environment as it makes the application vulnerable to man-in-the-middle attacks. Always ensure to handle SSL certificates appropriately and resolve any issues related to SSL verification in a secure manner for live applications.
References
